Marilyn Tavenner, prinicipal deputy administrator and chief operating officer of the Centers for Medicare and Medicaid Services. / The Tennessean

by Tom Wilemon, The Tennessean

by Tom Wilemon, The Tennessean

NASHVILLE, Tenn. -- The federal health exchange risks missing its Oct. 1 rollout date because it has yet to prove it can protect people's privacy.

The Office of Inspector General issued a report Monday saying the contractor given the job of developing a system security plan had missed deadlines - the same day the Department of Health and Human Services started allowing people to set up personal accounts and passwords on the website for the federal exchange.

The Health Insurance Marketplace website will ask for Social Security numbers and income information as part of determining whether someone qualifies for subsidies toward buying coverage.

Final security documents were supposed to be submitted to the Inspector General on May 6 and July 1, but a government contractor for the Centers for Medicare and Medicaid Services missed those deadlines, the Inspector General said in its report.

"If there are additional delays in completing the security authorization package, the CMS chief information officer may not have a full assessment of system risks and security controls needed for the security authorization decision by the initial opening period expected to begin Oct. 1," the report said.

CMS Administrator Marilyn Tavenner responded with a letter stating the agency is "confident" the hub site will be operationally secure and have authority to operate prior to Oct. 1 - the date people can start signing up for and buying insurance on the exchange.

These are not the first deadlines missed. On July 2, the Obama administration announced it was delaying for one year the mandate that employers with 50 or more full-time workers provide coverage. The government is also two months behind in funding and training navigators, which are supposed to do community outreach about the exchange.

"Much remains to be accomplished within a relatively short amount of time," John E. Dicken, director of health for the U.S. Government Accountability Office, testified last month before a congressional committee.

He said CMS had spent $394 million as of March 31 on contracts to create the data hub and perform other needed services for the exchange. Quality Software Service Inc. got the contract to set up the data hub. Company representatives did not return telephone calls to The Tennessean.

Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, said the website will not ask for sensitive health information, but it will direct people to answer questions on income and immigration status.

"The security aspects of this data hub are important," McGraw said. "The spotlight that has been shined on it recently is a good thing because the American public should be reassured that the data they enter into the system in order to apply for health insurance or that gets exchanged by various federal agencies in order to determine eligibility is going to be used appropriately and not fall into the wrong hands."

Dr. Mark Frisse, a professor of biomedical informatics at Vanderbilt University, said the government is going through a very formal process to identify any possible privacy risk.

"You plan for all kinds of things - every possible thing you can think of - then say, 'How likely is that to happen?'" Frisse said. "Based on that plan, you then get an approach that minimizes the risk."